Encryption at the mercy of the law

The Regulation of Investigatory Powers (RIP) Bill, which allows police to intercept network data, sparked a storm of controversy when it was published by the UK government.

The Bill, published on 10 February, updates legislation on the monitoring and interception of public and private communications and data by law enforcement agencies. It sets out rules and regulations for wire-tapping phones and data lines within ISP infrastructure, and the decoding of privately encrypted data.

RIP was published by the Home Office after the Department of Trade and Industry dropped similar legislation from the Electronic Communications Bill, which was passed late last year.

The Home Office publication came under fire because the proposals state that the police and security services should be empowered to force system managers to hand over decryption keys or the original plain text of email documents. Managers who are unwilling or unable to comply face a jail sentence.

Potential for abuse
Caspar Bowden, director of think-tank the Foundation for Information Policy Research, slammed the legislation and said it made the UK Britain the only country in the world to publish a law that could imprison users of encryption technology for forgetting or losing their keys.

"After trying and failing to push through mandatory key escrow, then voluntary key escrow, the government is resorting to key escrow through intimidation," said Bowden. "The corpse of a law laid to rest by Trade Secretary Stephen Byers has been stitched back up and jolted into life by Home Secretary Jack Straw."

Brian Gladman, ex-technical director for NATO, said: "The government says it wants the decryption keys rather than the information, but handing over the decryption keys opens up major potential for abuse. A warrant demanding the data be transferred into a legible form would suffice."

A fight for rights
Gladman explained there is also a tip-off clause, which states that it is forbidden to warn colleagues who use the same key that it has been compromised by the a third party.

ISPs are also expressing concern over the Bill because of clauses that will force them to install data and telecommunications monitoring tools into their infrastructures, and that they will also be expected to cover these costs themselves. However, liability is still undetermined and there is some indication in the legislation that the government may step in and pay for the tools.

Financial considerations
A spokesman for service provider Demon Internet said: "Given the complexity and pace of the Bill, we do have concerns related to the cost and responsibility for funding the equipment required for interception, the estimates for the anticipated frequency of interception, the timetable for agreement of new procedures, and the timetable for implementation."

Demon acknowledges that effective procedures already exist for the interception of voice communications, but explained that the interception of data communications involves a "much higher degree of complexity and is likely to require continual review given the pace of development in the internet industry".

Home Office officials argue that authorities should be allowed regulated access to encrypted data held on public and private networks to fight criminals and terrorists who use encryption to hide their activities and prevent detection.

Keeping up with technology
The government is attempting to placate the industry's fears of anti-privacy legislation being rushed through Parliament, with the intention of being placed on the statute books by October. Home Secretary Jack Straw said that none of the law enforcement activities specified in the Bill are new.

"Covert surveillance by police and other law enforcement officers is as old as policing itself; so too is the use of informants, agents, and undercover officers," said Straw.

The Home Office also takes the line that wire-tapping legislation already exists and that the Bill would ensure for the first time that the use of such techniques is properly regulated by law and externally supervised.

"The Human Rights Act and rapid changes in technology are the twin drivers of the new Bill," said Straw. "We must ensure that law enforcement operations are consistent with the duties imposed on public authorities by the European Convention on Human Rights and the Human Rights Act."